The invention relates to a method of preserving privacy for a user while enabling the user controlled access to data. The invention further relates to a verifier device for preserving privacy for a user while enabling the user controlled access to data. The invention further relates to an issuing device for preserving privacy for a user while enabling the user controlled access to data. The invention further relates to a computer program product for preserving privacy for a user while enabling the user controlled access to data.

The SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed
Security Infrastructure) cem^






certificates", WS&Bm &1 mbsmB^sM^L Within this framework,
authorization certificates can be defined by means of which an authorization or right is
granted to the public key of a person by an authority which signs the certificate. In addition to

bnand the subject. SPnaufooWon certificates also fa^

1 may also include a validity specification for the certificate f J






the a 

of the issuing a 
delegation tag. 



a 



dun 



aty, 



ruser 



Authorization certificates may be carried by the user (e.g., in
devices), or may be available anywhere in the network (to avoid the burden on the user of
carrying all his certificates) to allow easy access to those certificates to a verifier. In this case,
all information present in the authorization certificates is in the clear in the network and available for
anyone to see.



For aumorization certificates, their issuing, their possible public wide 

availabmtyasweuasthe^^ 

disclose to other patties their association^ a given auto 

a^orizationsasrigb*^ 
cor^ Privacy

globally unique identifier of the user. Moreover, it is easy to bind a public key to its owner
since the key is public and it is used in any transaction to authenticate the user. Second, the
availabffitydisonss^

authorization certificate available everywhere in the network) betwe^
authorisation. Third, given a certain public key, i.e. a certain pen^
observertofindanfteaiaiiarjzatioa

the network on that public key. Fourth and finally, even if certified

privately by users, the certificate iss^

association between the user and the authorisation, since ^
certificates.

A solution is required that ensures and preserves privacy for users wi& re^
to their certificates, while allowing easy access any time and anywhere to

by a verifier.



In patent application EP03100737.0

(attorney docket PHNL030293), a
is described aiming to present -

check the certificates.

ions that

can be used in an access and authorization
and secure check of the user's entitlement to ^

between user identities and content ^If^comm^tim^amamltBvm
identity (the public key) in the user identifying information, while still allowing any device to

solution still suffers from privacy problems. When a user
it, his identity is reveal^

fcy. In the process of a user accessing content, however, the di^ always
learns the public key of the user, revealing his identity. Even worse, it enables that all the
user's actions of access

iers, the user can be tracked. Also, there is no privacy towards the c.



linked to his i 






issuer. 



There is therefore a ftruwneed to irovi^ 
as the certificate verifier and also the certific 



b issuer. 



It is an object of the present invention to provide a method for issuing and/or
verifying a certificate for a user, preserving privacy fi*^
certificate issuer and certificate verifier from learning the identity (public key) of that
user, in a way that the user's entitlement to the certificate
can still be verified.

This object is achieved by a method of preserving privacy for a user while
enabling the user controlled access to data, the user being represented by a user device and
identified by a user identity, the method using at least one certificate that associates data
access rights with the user identity, wherein the certificate conceals the user identity,
the certificate comprises publicly available solution information P, a concealed secret S' is
publicly available, the method further comprises at least one of:

a certificate verification process between the user device and a verifier device,
a certificate issuing process between the user device and an issuing device, and
a certificate re-issuing process between the user device and the issuing device,

wherein the certificate verification process comprises the steps of:

the user device obtaining the concealed secret S' corresponding to the certificate,
the user device retrieving the secret S from the concealed secret S',
the verifier device obtaining the solution information P from the certificate,
the user device proving to the verifier device that it knows the secret S, without
the verifier device learning the secret S or the user identity,

wherein the certificate issuing process comprises the steps of:

generating a secret S and a solution information P,
concealing the secret S into a concealed secret S',
the issuing device issuing a certificate comprising at least the solution
information P,

wherein the certificate re-issuing process comprises the steps of:

the user device obtaining the concealed secret S' corresponding to the
certificate,
the user device retrieving the secret S from the concealed secret S',
the issuing device obtaining the solution information P from the certificate,
the user device proving to the issuing device that it knows the secret S, without
the issuing verifier device learning the secret S or the user identity,
generating a new secret S2 and new solution information P2,
concealing the secret S2 into a concealed secret S2',
the issuing device issuing a new certificate comprising at least the new
solution information P2.

public key are not available in clear format in the
certificates and are also not need^
aufcorizBtionisv^

in the authorization.

Because the secret S itself is not revealed, the verifier cannot impersonate
himself as the user related to the Baibomaao^pnwyispKsa^

An advantageous implementation of the method according to the invention is
described in claim 2. The concealed secret S' is now also conveniently stored in the

the secret S.

retrieve




A further advantageous implementation of the method according to the invention
is described in claim 4.

An advantageous implementation of the method according to the invention is
described in claim 5. By the use of random information, the secret S can be better concealed.

A further advantageous implementation of the method according to the
invention is described in claim 6. By using a zero knowledge protocol between the verifier
and the user, the knowledge^

A further advantageous implementation of the method according to the
invention is described in claim 7. By establishing a symmetric session key K the issuing
process is protected.

A further advantageous implementation of the method according to the
invention is described in claim 8. In order that nobody else knows the secret S, the secret is
preferably generated by the user device itself in the issuing process.

The invention can be applied advantageously for an authorization certificate,
as defined in claim 9, or can be applied advantageously for a domain certificate, as defined in
claim 10.




In patent application EP02079390.7 (attorney docket PHNDJ2io©), a
is proposed which describes an arcb^

A (who bought the content) may access content 1 on a device by means of authentication,
e.g. with his user device, and the usage right certificate, a certificate which K
rights l-IW M B,C,andD(wtobelongtofo 



A to contest 
1 on 



a device by means of authentication based on the usage right certificate which links A to
content rights 1, and the domain certificate, a certificate^

together. When a person performs an action that requires him to show that he is a participant
in a domain, his user identity (public key) is revealed as it is part of the domain certificate.

A domain certificate according to the invention contains one or more
concealed secrets of which the secret can only be retrieved (and knowledge thereof proven)
by the domain members. This enables the domain members to anonymously prove their
membership in the domain.

An advantageous implementation of the method according to the invention is
described in claim 11. As each domain member has access to the secret domain key, the
domain members may retrieve the secret S from the domain certificate.

A further advantageous implementation of the method according to the
invention is described in claim 12. The usage right certificate may comprise a concealed
secret (such as D in the second embodiment described below) that links the usage right
certificate to a domain in order to allow the (other) domain users (the co-users) to prove their
entitlement to the usage right certificate.

A further advantageous implementation of the method according to the
invention is described in claim 13. Different access levels can be formalized by having a rule
with right specifications, stating the different permissions a user is entitled to when proving
ra

It is a further object of the present invention to provide a user device that can
request a certificate or prove entitlement to a certificate according to the invention,
preserving the privacy of its user identity. This object is achieved by a user device being
arranged for issuing a certificate according to claim 1, comprising:

receiving means for receiving process information,

computing means, comprising processing, encryption/decryption and storing
means, for engaging in at least one of the certificate verification process, the certificate
issuing process, and certificate

transmitting means for transmitting process information.

It is a further object of the present invention to provide a verifier device for
verifying a user's entitlement to a certificate, while preserving the privacy of the user. This
object is achieved by a verifier device being arranged for verifying a certificate according to
claim 1, comprising:

receiving means for receiving process information,
storing



venncafcon process 

««0mg a certificate according to the inmrii^™^^ ^^^ "^ d ^ fe 
ufldii««wii , . preserving the jmvacy of fte iisear IhiaoT ' 








ccniprising; 

CQn ^^n J8 a ns ,con^dngp I oc 
"wans, fiw engagmg i, at least 



1, 



'& encryptian/decryp 



one offte certificate issuing process 



storing 
certificate re-issning 
It is a further object of the present invention m
Pnvacy while enabling the user contmli^ „ 8 ^ f <* preserving 

oflmrfn--. controlled access to data. This object fe «nk.«^ i_ . 

c «n 5 ong at leastpait of a certificate aa used in the me *w ^^"^^ by a signal 

T . . ™"^ m niemettu)d according to claim 1 

fte certificiteie.igsin^p rolocol> ^ 
^ certificate verific^onprotoeoL 



^nstoictions coaiprisinga 

oaputer execute, when o^vi . 
in the computer, irnplenoentiag at l^l^Z^ TT* ^ ^ « loaded 



computer program 



It should be understood, that although th* - , 

^^thattheteverrfionisnotlir^ 

unonnation can be mmftai.i A i_ . . , 0816 per se. The samepohHcivflvs 



beavafl^leinwboleOTinparteand 



be separately certift 



poMcly available 



^-Ple and with refeence to the schematic dnrwings, ^ which ^ * ° f 

Fig. 1 illustrates a verification protocol,



PHNL031509EPP 

n 24.12.2003 



5 device. 



Fig. 4 illustrates a verification protocol for a domain co-user,
Fig. 5 illustrates an issuing protocol for a domain user,
Fig. 6 illustrates an issuing protocol for a domain certificate, and
Fig^flfostnu^as



In a first embodiment according to the inw
comprises different d^^

for example be a smart card or a USB dongle. Further shown is an issuing d^

issuing certificates, a verifier device 701 for verifying a certificate which gives entitlement to

content, and a content device (which

but which could also be a different device) for providing content. Thew
interconnected through a netwc^

with communication channels 741 and 742. Each of the devices 701, 711, 721 has receiving
means 706, 716, 726 for receiving information from a network or from other devices, for

example during the protocols das^

g means 707, 717, 727 for transmitting during these protocols, and has a processing

it 702, 712, 722 for processing
comprising a processor 703, 713, 723, a memory 704, 714, 724 that can also store key

information, and encryption/o^




Verifier devices and user devices are assumed to be compliant. This means
totmese devices «mn^

device this means, for instance, that it does not output co^
For a user device, this means that it keeps its secrets secret, and that it m
and requests posed to it in the expected way.



The a] 



certificate is a person's right to access apiece of content, 



and it is repres 



Jby means of foe content right id 



be defined as { crjd , PK}***, where prismepuWiokeyoffoe 

rig * to access contort 

men anserv^ to access content vrifotiris certified 



the certificate- When a user Wants 
verifier device which is able to give 



lUit 



directly or indirectly access to the o 



aaflienticalioanrastbe per 
between the verifier device 



e^wmchcmbeacconnilishfidbymeansofat 



• User 



user device (e.g. a personal smart card), which is



war. Moreover 

write**, " " P °^^ 1 »«'''«otaortrf p> 
Hutwtae. "«i"MwJ.lmnMl nngl , rOTraWt<)11 

whose square value, i> « s> « secrct vaIne J « 

a»«eiSgbtcertificate={^ tfj p W - M 



25 



_ * BWH »vamei^' Ma i S01ffliqaeper 



however, which is the 



certs 



rf ^^(ufc, for each 



. The user identity pjr 



same for all certificates of* - . 



learn that value and also not the identity of
the user.

Note that it is

user
tay PK preserving the privacy of



n B step or user authentication happens implicitly when fa user device n*™™, ^ ... 

for only a user who knows fa prf^ ^ ^JL^ 

, -^>v B me private Key SK, corresponding to the user Dubiic k«v ,„ 

^tDdec^/> W7tootednfllBValne& ^PUWickeyPj^ 



0 of a verification 






tocoi^onlytouseav^a.eeidifledtoitTWs 8™**** 
protocol as illustrated in Fig. 1, a user device 110 toat cn^,-

public key of the user, and a verifier device 111 verifying the authorization certificate,

flh^ along the timeline 

cr tfandcnrfoJlT^^ 

cr.WaiuioptioimUylc^infi^ " 
locator c^ be senttonelp the verifiexdev^ 

the verifier device retrieves the correct usage right certificate,
J^ 3 * ^ ^ device sends the value PK& to fa w ^ 

« its private key (by 



cr J<£ The optional 






the user device retrieves the value S 
happens implicitly), and 

convinced that the user device knows die sooare rant rrf d ** . BU ™ CJfflffl 5 r 

If the verifier device acts as content device, it can give the

m communicate the results to a different device operating as

variation, the verifier device
content device. 



Fig. 2 illustrates an issuing protocol along a timeline 220 between a user
device 210 and an issuing device 211, that provides privacy for users ^

issuing device as well. This mechanism allows users to anonymously acquire the certificates,
yet the issuing device

ensure

aigiiedbvbimwfflbete^^ J**"^^

buying, a mechanism must be provided f™. * .

described in EP03100737.0 (attorney docket PHNL030293), in which the user buys



wants to obtam the rigte^ 

ynwualy with a request for * <*"*<*» the igsomg device 

8 . t0r ^ymous buying. The protocol 






arts of the following 

«~^paraesarethesan»throuohonttfiAi m ,^. 
« for example established by trans™ JTZ!^ ^* 



device's public key, 



yption with tbe user 



^ 232: the 



user device sends a leona* ^ a 
^ doVMB 4e validity of £5^ h 



15 identifier, 



^vaKdatesflie token 



nsmits 



■top 233: the user device 



20 



preferably 

the issuing device creates 
above, and the issuing device 
tbe network. 



5 



Mr Oat certam user, for example as a 



present. 



certificate has 



Re-issuing of certificates 



can be useful in certain cases, such

as when a

Kfi ^ OT ^^«flim»priatevali te
^casemece^catesho^bere-iss^

between a user device 310 and an issuing oeZ ^TT* ^ 8 ^ if ^ protocol 320

started by the user that owns the in^ri^
device anonymously with a request for the re-issuing^ contacts the it



issuing 



. (Hi 



4wicem.Kn.B_ ™™"« "■«0|> 331 



user 



5 



ill rv-; 1 1 : 



tolhe 



orflieiBfi^cccr_^ to the old usage right certificate,

the issuing device has received or can now retrieve the P and PK[S] values for
the old usage right certificate,

step 333: the user device proves to the issuing device that he is the legitimate
owner of that usage right certificate by proving knowledge of the value S in the certificate
(just as with the device when the user requests content),

the user device generates new values P and PK[S] for the new usage right
certificate,

step 334: the issuing device receives the newly generated values P and PK[S],

the issuing device creates and signs the re-issued usage right certificate, which
can then be made available in the network.

Each time a user accesses content, he shows his usage right certificate to the
verifier device. This may allow co-operating verifier dev^

involving the same usage right certificate (i.e., the same content) are all linkable via its values
cr_id, P and PK[S]. In case the public key is revealed during a single to
accident or by an attacker), all the other transactions involving the same usage right
certificate can be linked to that user. However, as long as the user's identity is not revealed,
the transactions can be linked together but not linked to the user.
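
The proof of knowledge of S and the re-issuing with a fresh P described above, as an added Python example that is not part of the patent text. It assumes the zero-knowledge protocol is run as Fiat-Shamir identification rounds (the text only says the user proves knowledge of the square root of P); the modulus N, the content right id and the names UserDevice, prove_knowledge, issue, reissue and linkable are constructed for illustration, and the concealed secret PK[S] and the issuer signature are left out.

```python
"""Added illustration: proving knowledge of S where P = S^2 mod n, then re-issuing.

Assumptions (not from the page): the zero-knowledge protocol is modelled as
Fiat-Shamir identification rounds; N is a constructed demo modulus whose
factors are public here; certificates are plain dicts without the concealed
secret PK[S] or the issuer signature.
"""
import math
import secrets

# Constructed demo modulus (two Mersenne primes). A deployment would use a
# modulus whose factorisation is known to neither user nor verifier.
N = (2**89 - 1) * (2**107 - 1)


def random_unit(n):
    """Return a random element of Z_n* (coprime to n)."""
    while True:
        v = secrets.randbelow(n - 2) + 2
        if math.gcd(v, n) == 1:
            return v


class UserDevice:
    """Holds the secret S; only commitments and responses ever leave it."""

    def __init__(self, n, s=None):
        self.n = n
        self._s = s if s is not None else random_unit(n)
        self._r = None

    def solution_information(self):
        return pow(self._s, 2, self.n)            # P = S^2 mod n

    def commit(self):
        self._r = random_unit(self.n)
        return pow(self._r, 2, self.n)            # x = r^2 mod n

    def respond(self, bit):
        if self._r is None:
            raise RuntimeError("commit() must precede respond()")
        y = (self._r * pow(self._s, bit, self.n)) % self.n   # y = r * S^bit
        self._r = None                            # a commitment is single-use
        return y

    def refresh(self):
        """Generate a fresh secret S2 and return only the new P2."""
        self._s = random_unit(self.n)
        return self.solution_information()


def prove_knowledge(user, p, n, challenges=None, rounds=20):
    """Verifier side: accept only if y^2 == x * P^bit (mod n) in every round."""
    count = len(challenges) if challenges is not None else rounds
    for i in range(count):
        x = user.commit()
        # The challenge bit is chosen only after the commitment was received.
        bit = challenges[i] if challenges is not None else secrets.randbits(1)
        y = user.respond(bit)
        if pow(y, 2, n) != (x * pow(p, bit, n)) % n:
            return False
    return True


def issue(cr_id, user):
    """Issuer certifies the P supplied by the user device; S is never sent."""
    return {"cr_id": cr_id, "P": user.solution_information()}


def reissue(old_cert, user, n, challenges=None):
    """Issuer side of re-issuing: proof for the old P first, then certify P2."""
    if not prove_knowledge(user, old_cert["P"], n, challenges):
        return None
    return {"cr_id": old_cert["cr_id"], "P": user.refresh()}


def linkable(cert_a, cert_b):
    """Two presentations link when they expose the same value P."""
    return cert_a["P"] == cert_b["P"]


if __name__ == "__main__":
    owner = UserDevice(N)
    cert = issue("content-1", owner)              # constructed content right id
    print("owner accepted:", prove_knowledge(owner, cert["P"], N))
    new_cert = reissue(cert, owner, N)
    print("old and new linkable via P:", linkable(cert, new_cert))
```

Each round lets a device that does not hold S pass with probability 1/2, so the number of rounds sets the verifier's confidence; the re-issued certificate keeps cr_id but carries a P unrelated to the old one.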

The linkability can be reduced by reissuing with fresh values of P and PK[S].
For full privacy, this should be done after each single use. Such a re-issuing may be
prohibitive in cases where it creates too much of a burden on the issuing device or user

device. Besides, a user c^cerrri^ not even be able to

content access request. Therefore, privacy threats must be weighed a

frequent re-issuing, especially in the case of usage right certificates w^

happens in requests for the same

issuing, or re-issue only on request of the user.

The re-issuing of a given usage right certificate is especially useful in ca^

user's public key is revealed, for example during a verification protocol. Re-issuing will then

prevent that the user is tr^

In a first variation of the first embodiment, the invent

of the usage right certificate^

be kept secret and should remain available only to the user. H w



value S is obtained
"fright certificate 






^wiedge of those two values, follow ^ 
. wides additional security: Wmgfonnat 
usage right certificate m o ' mm 

6cflitMt! <l by m additional field, ^^T^C ^ 



24.12.20 
"which the 



lit 



osed is assume tobe resistant • pmpo8eHere > 
^ an attacker cannot easily fir- - - a 8^Wn plain- text 



S&lcrjdJ. fa such 



20 



25 available 



~— » -re possible, two alternative imnmv^ « T 

"«uvc unproved terms fbr/o^ 

^mfe may be calculated as r . 

1^ — * 4 • 



30 



of the membera. To achieve tine _ ^_ 

,tta ^ans,thenewtonnatforthe 



domain 



ificate is; 
domain certificate 
where d_id is the d

calculated as P = (SK_D[S ])^2,




symmetric domain key shared by domain members only, and stored in their user devices, S
is a value which is generated when the domain certificate is issued, and PK[S ], PK'[S ],
PK''[S ], ... are the encryptions of S with the respective public keys of all domain members.
The domain certificate is preferably signed by the domain authority DC.

With the format above, users who are a domain member can prove to a verifier
device that they belong to domain d_id by means of a zero-knowledge protocol where they
prove knowledge of the secret value SK_D[S ]. This value can be calculated only by
domain members, who can obtain S (by decrypting one of the terms PK[S ], PK'[S ], ...)
and encrypt it with SK_D. The value § is a secret value which is generated and used by the
domain certificate authority upon the issuing of the domain certificate. Its knowledge would
allow any person to check if a certain public key belongs to domain d_id.

The format for the usage right certificate, that links to the domain wi
ier having in the clear, is for example defined as follows:
usage right certificate = { cr_id , P , PK[S] , D }^

is calculated as D = (SK_D[S x cr_id]) / and the symbol x indicates
of numbers in Zn* (the value cr_id is also chosen in Zn*).
The value D is used to allow any other domain user (a so-called co-user
prove to a verifier device that he also is entitled to access content cr_id. He can do so by
means of a zero-knowledge protocol in which he proves knowledge of the secret value
SK_D[S x cr_id] = Jd .

In the protocol the domain certificate is needed moidafi* IP too
value since it is not kept in storage to

multiplication of S hycrJdm^fayntaeDdme^fodffiamw^ji&
certificates. As with ^/^te

Devices must be capable of checking the certificates in order
only to users who are entitled to the amt^

any other co-user U' (whose public key is PK') in the domain. The verification protocol for
the checking by a verifier device of the usage right certificate of user U is equal to the
protocol as used in the first embodiment. For co-user U', the verification
schematically in Fig. 4. User device 410 is now related to co-user U'. The verification
protocol with the verifier device 411 consists of:

where the
multip
device,



™ to prove its knowledge of ^ y== ^ P 



^er device to te toowle4gB ( 

if the verifier device is s 
<^ square root ofP (fitnn tr^ dornain 
^ certificate), ft can ifcen ^ ^ ,.„. 



device knows 



20 



>g the content 



Alio 



•jnn 



domain 



P^cfc^swerensedtoenovnt 
^ccnteintbesecwtdoBteint e* 3 ** ^ m the 

calc^afeg^,, ^ - ^ k6y ^ « «Pabk of obtaining £ 

^r^ _ proof of knowledge of . 



25 



^ MteftrooM «°-.«lo<hadomafc. 



f r t * :«c 



to usage 



illustrates the hnplcrnentati 
privacy towards the cartifi^ 



while 



30 



consists o£ 



^ 531 ; a ajnnmetac session -^„, 
^^*»N*dev^ 

S ^ that the communicating parties JT^ <° 

~"™"OK»imgjjajttes are the same mnmflhoiathelimrfn**- 

** »2: the user device sen* *, sj^^ ^ tanS8C ^ 
stenw.*. . . iWiara0J y enwyptedTOfl! the session key* 
encrypted with the session key £ ^ g Preferably 

me issuing device verifies the validity of fiSf , 
based on the domain idfent.-4T — mat identt 

step 535: the user device sends me values P Dirnr, 
^ce.The^vatoesaremrf^.t.K, B ~ ,ll0Wh8B ^«H7«ii> to the issuing 

vaioes are preferably concatenated with cr «/» - 
toe session key Z, and 



signs the usage right certificate, 



25 



the issuing device creates ai 
available in the network. 

belong to any domain, thera is no domain 



makes it 



ieate 



issuing device or user device 



30 



whichmevame^caubeobJamed 

It is a further advantage of this embodiment that ^ ^ ,

a^tobuy content for exarm,!^ ^ a^genght certificate for that user. TTna 

T^ toe ^ leM apresent,tbradmrentoser 

p. , _ ^J^l^tbeisaningofdoraarace^ n 
Fig- 6. domain certificates are issued to a nser devi™ Sh ° Wn ^aticaUy 

<^amhority 6ll ^^^ 

«wws or learns the users' identities mid »nbH« i*. 



m 
a 
which are to be grouped together in the certificate. This authority also generates the hjo^
value § and a domain identifier^

secretly a symmetric domain key SK_D Of one ^mA^Ox^XyMGh is to be stored in
their user devices. The values S and
acconrolishedbychcwsing Se zSaulSKoe Z,'.

The domain certificate issuing protocol 6^ is esb^
authority and the user device of a domain user, with all communication done via a Secure
Authenticated Channel (SAC).

step 631: the domain authority successfully authenticates the user device,
the domain authority generates a random value S and a domain identifier
d_id,



step 632: the domain authority sends user device £ and d_id,
the user device then calculates P = (SK_D[S ])^2,
step 633: the user device sends P to the domain authority, and
the values PK[S ], PK'[S ], ... can be calculated by the autho
together with £ and they era

1^ the issuing of a domain certificate
S and the association between the domain identifier d_id (and also P) and the public keys
of the users in the domain. It does not learn, however, the value SK_D[S ] which can only be
calculated by domain memb^ P=5 J ,in
order to make sure the domain certificate can not impersonate himself as a domain member.

metheraMtsert/' accesses to 
even mough he is ahvays linked todies^ 
Aedomadu The feet mat ftemMclo^tf donwm 
domam certificate also remfenx^m^ 
Hnb^ of bis tomsacttow and g«^ 

via his domain membership. Anonymity within the domain is especially advantageous
the domain is not too small.

Re-issuing of certificates as described for the first embodiment ala
Kakaihfi% of users' transactions for the second embodiment

Note that the user U still can prove that it knows S which gives the
advaimu^o^ac^erirtemedomamwhocamrt This difference can



advantageously be exploited in situations where the user should have more privileges than
the other domain users. For example, the other users could have time limits or frequency
on content access.

In a different enviri^^
control to e.g. medical data, one could

his own data, while the other users limited access to his medical data

In yet a different environment, the u^
other users only have read access to data.

This could be formalized by having a rule with rights specifications, stating
the different pennisMo^
(also) able to prove knowledge of S.

In a first variation of the second embodiment, when the user U does not need
special privileges compared
to:

usage right certificate = { cr_id , D }«^cp
because any user in the domain (and only users in the domain) can prove to know D. It is
therefore sufficient to prove knowledge of D to prove entitlement to access cr_id, and there is
no reason to include P, PK[S] in the usage right certificate anymore.

In a second variation of the second embodiment, the usage right certif
could be simplified by replacing D with d_id. The usage right certificate then looks li

usage right certificate = { cr_id , d_id Sa&cp

or

usage right certificate = { cr_id , P, PK[S] , d_id }^cp
Only the users in the domain can prove that they are actually a di
therefore they are entitled to access the content cr_id, which is publicly visibly tied to d_id,
even without proving any other secret than the secret in the domain certificate. Thus in the
verification protocol step 434 can be skipped, reducing protocol cost.



This usage right certificate can be issued without knowing S . This may be an
advantage as the usage right certificate can be bought by a user device

It should be noted that the above-mentioned embodiments illustrate rather than
limit the invention, and that those skilled in the art will be able to design many alternative
embodiments without departing from the scope of the appended claims.

In the claims, any reference signs placed between parentheses shall not be
construed as limiting the claim. The word "comprising" does not exclude the presence of
elements or steps other than those listed in a claim. The word "a" or "an" preceding an
element does not exclude the presence of a pl^^

d by means of hardware comprising several distinct elements, and by means of a
suitably programmed computer. A single

ble) unit may also

ll the functions of several means recited in the claims.

In the device claim enumerating several means, several of these

nwono Aon Ko

embodied by one and the same item of hardware. The

that col

res are

recited in
measures

de

the used to adv

claims does not indicate that a combination of these
CLAIMS:

1. A method of preserving privacy for a user while enabling the user controlled
access to data,
the user being represented by a user device (110,721) and identified by a user
identity,
the method using at least one certificate that associates data access rights with
the user identity,
wherein the certificate conceals the user identity,
the certificate comprises publicly available solution information P, and
a concealed secret S' is publicly available,
the method further comprises at least one of:
a certificate verification process (120,420) between the user device and a
verifier device (111,701),
a certificate issuing process (220,520,620) between the user device and an
issuing device (211,711), and
a certificate re-issuing process (320) between the user device and the issuing
device,
wherein the certificate verification process comprises the steps of:
the user device obtaining the concealed secret S' corresponding to the
certificate,
the user device retrieving the secret S from the concealed secret S',
the verifier device obtaining the solution information P from the certificate,
the user device proving to the verifier device that it knows the secret S, without
the verifier device learning the secret S or the user identity,
wherein the certificate issuing process comprises the steps of:
generating a secret S and a solution information P,
concealing the secret S into a concealed secret S',
the issuing device issuing a certificate comprising at least the solution
information P,
wherein the certificate re-issuing process comprises the steps of:
the user device obtaining the concealed secret S' corresponding to the
certificate,
the user device retrieving the secret S from the concealed secret S',
the issuing device obtaining the solution information P from the certificate,
the user device proving to the issuing device that it knows the secret S, without
the issuing verifier device learning the secret S or the user identity,
generating a new secret S2 and new solution information P2,
concealing the secret S2 into a concealed secret S2',
the issuing device issuing a new certificate comprising at least the new
solution information P2.


2. The method according to claim 1, wherein the certificate comprises publicly available concealed secret S'.



3. The method according to claim 2, wherein the secret S is encrypted with the user's public key to generate the concealed secret S'.



4. The method according to claim 1, wherein the solution information P and the secret S are members of Zn*, and the solution information P is the square of S.



5. The method according to claim 1, wherein the [...] random information RAN.



6. The method according to claim 1, wherein the verifier device verifies that the user device has knowledge of the secret S using a zero-knowledge protocol.



7. The method according to claim 1, wherein the communication during the issuing process is protected using symmetric key encryption.



8. The method according to claim 1, wherein in the issuing process the secret S and the solution information P is generated by the user device.



9. The method of claim 1, wherein the certificate is an authorization certificate.



10. The method of claim 1, wherein the certificate is a domain certificate.



11. The method according to claim 10, wherein the concealed secret S' in the certificate comprises the secret S, encrypted with the secret domain key.



12. The method according to claim 9, wherein [...] the secret S, multiplied with [...]



13. The method according to claim 1, wherein the certificate comprises two secrets, of which the knowledge prove by a user device gives different access levels.



14. User device (110,721) being arranged for issuing a certificate according to claim 1, comprising:

receiving means (727) for receiving process information,

computing means (722), comprising processing (723), encryption/decryption (725) and storing means (724), for engaging in at least one of the certificate verification process, the certificate issuing process, and certificate re-issuing process,

transmitting means (726) for transmitting process information.



15. Verifier device (111,701) being arranged for verifying a certificate according to claim 1, comprising:

receiving means (707) for receiving process information,

computing means (702), comprising processing (703), encryption/decryption (705) and storing means (704), for engaging in the certificate verification process, and

transmitting means (706) for transmitting process information



16. Issuing device (211,711) being arranged for issuing a certificate according to claim 1, comprising:

receiving means (717) for receiving process information,

computing means (712), comprising processing (713), encryption/decryption (715) and storing means (714), for engaging [...] and certificate re-issuing process, and

transmitting means (716) for transmitting process information



17. Signal carrying at least part of a certificate as used in claim 1.



A computer program product (732) carrying computer executable instructions comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said computer program code means is loaded in the computer, implementing at least one protocol side of at least one of:

the certificate issuing protocol,
the certificate re-issuing protocol, and
the certificate verification protocol.
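
As an illustration of claims 1, 4 and 6, added here and not part of the patent text: a Python example in which the certificate carries P = S^2 mod n and the user device proves knowledge of S in challenge-response rounds. The claims name no particular zero-knowledge protocol, so the use of Fiat-Shamir identification, the toy modulus N and every function name are assumptions.

```python
import math
import secrets

# Toy modulus (assumption): product of two Mersenne primes. A deployment would use
# a large modulus whose factorisation is unknown to user and verifier.
N = (2**31 - 1) * (2**61 - 1)

def rand_unit(n=N):
    """Random member of Zn* (an element coprime to n)."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x

def issue(n=N):
    """Issuing step: the secret S stays with the user, P = S^2 mod n goes into
    the certificate (claim 4). Concealing S into S' is not shown here."""
    s = rand_unit(n)
    return s, pow(s, 2, n)

class Prover:
    """User device side: holds S, never sends it."""
    def __init__(self, s, n=N):
        self.s, self.n = s, n

    def commit(self):
        self.r = rand_unit(self.n)       # fresh randomness for every round
        return pow(self.r, 2, self.n)    # commitment x = r^2 mod n

    def respond(self, e):
        # e = 0 reveals r only; e = 1 reveals r*S, which is masked by r.
        return (self.r * pow(self.s, e, self.n)) % self.n

def verify_round(p, x, e, y, n=N):
    """Verifier check, using only P from the certificate: y^2 == x * P^e mod n."""
    return y % n != 0 and pow(y, 2, n) == (x * pow(p, e, n)) % n

def run_verification(prover, p, rounds=40, n=N):
    """A prover without S survives each round with probability 1/2, so it
    passes all rounds with probability 2**-rounds."""
    for _ in range(rounds):
        x = prover.commit()
        e = secrets.randbelow(2)         # verifier's random challenge bit
        if not verify_round(p, x, e, prover.respond(e), n):
            return False
    return True
```

The verifier sees only P, the commitments, its own challenge bits and the responses, which is why rounds with a fresh r each time are needed: reusing r across a 0-challenge and a 1-challenge would let the verifier divide the two responses and recover S.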
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ABSTRACT: 






The invention proposes a method to provide privacy for users or a user from a
group of users with respect to authorizations they are granted, where such authorizations are
expressed using digital authorization certificates, and with respect to domain certificates in
case of groups of users. The idea is to conceal the user identity in the certificates, while the
certificate itself remains in the clear. In this way, certificates can be widely and openly
available, e.g. in a public network, without a random observer being able to link a user to an
authorization or to identify a user within a domain. Privacy is also provided towards the
certificate verifier by means of zero-knowledge protocols, which are carried out between the
user and the verifier in order for the verifier to check a user's entitlement to a certificate.
Privacy is further provided towards the certificate issuer as well by means of a mechanism
that allows the anonymous (buying or) issuing of certificates from the issuer.
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